As most of you may have noticed, WebAPP has undergone a fairly heavy
audit; the changelog for 0.9.9.5 is at:
http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250

Shortly after, 0.9.9.6 was released saying: "WebAPP had security audits
done by professionals, and several previously uncovered major security
issues were found, along with some more minor things that can negatively
impact security." They aren't releasing details yet to give web sites a
chance to upgrade.

Shortly after that, they released a patch to fix a remote cookie-manipulation-based
attack that can let a remote attacker take over the admin account:
http://www.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=crip&id=2

I'm a bit curious who the 'professionals' were that did the audit leading
to 0.9.9.6 and the details of the subsequent exploit.